Muzahir Saleem
Department of Computer science, University of Engineering and Technology
Lahore, Pakistan
Haseeb Manzoor
Department of Analytics, Dublin Business School, Ireland
ABSTRACT
Digital forensics is used to investigate digital crime. Cyber attacks carried out through botnets have
become the most dangerous attacks on the Internet, and digital forensic investigation of botnet
attacks is challenging. Attackers are gaining the ability to arrange more complex attacks using
botnets, so it is necessary to strengthen digital forensics to deal with such attacks. Machine
learning plays an important role in network forensics and in detecting these kinds of botnet attacks
efficiently and in less time. Different network forensic techniques use machine learning algorithms,
and these algorithms are used not only to detect but also to prevent botnet attacks. This paper
presents a survey of the different botnet attacks and of the digital forensic investigation techniques
used to deal with them. There is a need for a standard framework for forensic analysis of botnet
detection so that evidence can be presented in a court of law. Different network forensic techniques
are also discussed in the paper.
Key words: Botnet Forensics, Machine Learning, Network Forensics, Honeypots, Deep
Packet Inspection, Machine Learning Algorithms
Cite this Article: Nosheen Manzoor, Muzahir Saleem, Muhammad Aslam and Haseeb
Manzoor, Role of Machine Learning Techniques in Digital Forensic Investigation of Botnet
Attacks, International Journal of Management, 12(2), 2021, pp 583-592.
http://www.iaeme.com/IJM/issues.asp?JType=IJM&VType=12&IType=2
1. INTRODUCTION
In this modern era, where everything is interconnected through networks, cybercrime is also
increasing day by day. In this cyber world it is important to know or trace the actions of different
users in order to control cybercrime. To prove a digital crime in a court of law it is important to dig out
the pieces of evidence by deploying intelligent systems that trace users' behavior or actions. The
black hat community is known for malicious activities that harm users, and the botnet is the
trending threat in today's digital world.
A botnet is a collection of malware-infected devices whose main function is to continuously generate
more bots. A botnet performs controlled functions commanded by its controller [1]. Botnet
detection is a serious issue in digital forensics, and machine learning algorithms are now used to
detect botnet activities.
SVM (Support Vector Machine) and packet histogram techniques can be used to improve botnet
detection [2]. A KNN model can be used to analyze textual spam e-mail [3]. In [4] the authors use a
summarization technique to extract knowledge.
Narang et al. [5] suggested a framework for the architecture of P2P botnet traffic detection, in which
machine learning algorithms are used to process every single pair of nodes. Barthakur et al. [6]
distinguish normal P2P traffic from P2P botnet traffic as a binary classification; the authors classified
the P2P data by applying the SVM algorithm to combined web-based and P2P traffic. Alexey Kiselev
et al. [7] reported in 2019 a 32% increase in attacks in the second half of 2019, of which only half
have been identified. In 2019 a DDoS attack was carried out that lasted up to 509 hours, or 21 days,
and such attacks generate significant security risks [8]. The main problem in conducting a forensic
investigation is that no standard network forensic technique has evolved that can identify and trace
the attack behavior [9]. Many researchers have used machine learning algorithms for DDoS
detection, but the problem is that all of these need much time for execution and there is still
ambiguity in the investigation of botnet attacks [10].
2. BOTNETS
This section highlights the background, architecture, malicious activities, and attacks performed by
botnets.
while the passive propagation method needs a user to visit sites, or to click on e-mails and spam,
in order to download the malware onto the machine and make it part of the botnet [20][24]. In the
botnet architecture, the botmaster is the controller who issues commands to the infected hosts and
receives their replies, as shown in Fig. 2. This infrastructure is called command and control (C&C).
C&C has several types, including 1) P2P, 2) centralized, 3) hierarchical, and 4) hybrid [24][25]. The
centralized botnet infrastructure uses the HTTP and IRC protocols to send and receive commands [25][21].
3. DIGITAL FORENSIC
Digital forensics is the practice of precisely locating and gathering electronic information stored in
digital devices, preserving and analyzing that information, and submitting it to the court as evidence.
Depending on the subject of analysis, digital forensics includes disk forensics, system forensics,
network forensics, Internet forensics, mobile forensics, database forensics, and cryptographic
forensics (Jae-Ung Lee & Woo-Young Soh, 2020)
in the court of law. The last phase is the presentation phase, which documents all the
evidence, reports and data from the start of the investigation to the presentation in court [27].
4.1 Honeypots
Honeypots are simulated devices that perform their functions in a controlled virtual setup. Honeypots
attract attackers and malware-infected bots. There are two types of honeypots: 1) low-interaction
honeypots and 2) high-interaction honeypots, which gather information by imitating a complete
system (e.g., Windows or Linux). The main advantage of honeypots is that all attacks, malware
infections, and unauthorized access attempts are automatically logged by the honeypot operators,
who use them to build prediction patterns for future use [35][36][37][38][39][40].
Pham and Dacier [40] proposed low-interaction honeypot systems whose main focus is to develop a
system that automatically identifies botnet attacks from large datasets. Kumar et al. [36]
suggested a honeynet architecture that is completely automated and can also reconfigure itself. Mittal
and Singh [37] developed a methodology to derive the rules of an intrusion detection system from
collected honeypot data.
Paradise et al. [39] proposed a tool named ProfileGen, which generates authentic and appealing
social profiles that act as honeypots and attract attackers. Jeong et al. [35] worked on handling and
investigating widespread events and proposed a bitmap-based widespread event detection protocol.
Agents and coordinators exchange these bitmaps with each other, and at the end the bitmaps are
used to identify and categorize the widespread events.
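As an added illustration (not code from the paper or from [35]), the following is a simplified two-round model of the bitmap exchange described above: each honeypot agent summarises the event keys it logged as a fixed-size bitmap, the coordinator keeps only the bits set by at least `threshold` agents, and the agents then reveal the keys on those bits so that hash collisions are filtered out. The bitmap size, the agent names and the source addresses are constructed assumptions.

```python
import hashlib

BITMAP_BITS = 64  # bits per agent summary (assumed size, kept small for illustration)

def bit_index(key: str, bits: int = BITMAP_BITS) -> int:
    """Map an event key (here an attacker source address) to one bit position."""
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % bits

def build_bitmap(events, bits: int = BITMAP_BITS) -> int:
    """Agent, round 1: summarise all observed event keys as one integer bitmap."""
    bitmap = 0
    for key in events:
        bitmap |= 1 << bit_index(key, bits)
    return bitmap

def hot_bits(bitmaps, threshold: int, bits: int = BITMAP_BITS) -> set:
    """Coordinator, round 1: bit positions set by at least `threshold` agents."""
    counts = [sum((bm >> i) & 1 for bm in bitmaps) for i in range(bits)]
    return {i for i, c in enumerate(counts) if c >= threshold}

def keys_for_bits(events, wanted: set, bits: int = BITMAP_BITS) -> set:
    """Agent, round 2: reveal only the keys that fall on the coordinator's hot bits."""
    return {key for key in events if bit_index(key, bits) in wanted}

def detect_widespread(agent_events: dict, threshold: int, bits: int = BITMAP_BITS) -> dict:
    """Coordinator: run both rounds and return {key: [agents that saw it]} for every
    key observed by >= threshold agents. A key that merely shares a hot bit with a
    widespread key (hash collision) is revealed in round 2 but dropped by the count."""
    bitmaps = [build_bitmap(ev, bits) for ev in agent_events.values()]
    wanted = hot_bits(bitmaps, threshold, bits)
    seen_by = {}
    for agent, ev in agent_events.items():
        for key in keys_for_bits(ev, wanted, bits):
            seen_by.setdefault(key, []).append(agent)
    return {k: sorted(a) for k, a in seen_by.items() if len(a) >= threshold}

# Constructed sample: source addresses (RFC 5737 test ranges) logged by three honeypot agents.
AGENT_EVENTS = {
    "honeypot-eu": {"203.0.113.7", "198.51.100.23", "192.0.2.9"},
    "honeypot-us": {"203.0.113.7", "198.51.100.23", "192.0.2.44"},
    "honeypot-ap": {"203.0.113.7", "192.0.2.44", "192.0.2.61"},
}

if __name__ == "__main__":
    for key, agents in detect_widespread(AGENT_EVENTS, threshold=2).items():
        print(f"{key} seen by {len(agents)} agents: {', '.join(agents)}")
```

Each agent sends only `BITMAP_BITS` bits in round 1 regardless of how many events it logged, which is where the communication saving of a bitmap summary comes from.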
6. CONCLUSION
In this survey paper we have explored the effect of machine learning algorithms in the forensic
investigation of malicious botnet detection. We first provided the background of botnets, digital
forensics, and the network forensic methods used for investigating botnets. The network forensic
methods discussed in this paper were honeypots, deep packet inspection, and network flow.
We then discussed the role of machine learning algorithms in improving the results of botnet
detection. In the field of forensic analysis of botnet detection only limited work has been done. A
significant amount of work on botnet detection with machine learning algorithms exists, but there is
a need for a standard framework for forensic analysis of botnet detection so that evidence can be
presented in a court of law.
REFERENCES
[1] A. Bijalwan, V. K. Solanki, and E. S. Pilli, “Botnet forensic: issues, challenges, and good practices,”
Network Protocols and Algorithms, vol. 10, no. 2, 2018.
[2] S. Kondo and N. Sato, “Botnet traffic detection techniques by C & C session classification using
SVM,” in Proceedings of the International Workshop on Security, Vienna, Austria, September 2007.
[3] R. M. Alguliev, R. M. Aliguliyev, and S. A. Nazirova, “Classification of textual e-mail spam using
data mining techniques,” Applied Computational Intelligence and Soft Computing, vol. 2011, Article
ID 416308, 8 pages, 2011.
[4] S. Garg, A. K. Singh, A. K. Sarje, and S. K. Peddoju, “Behaviour analysis of machine learning
algorithms for detecting P2P botnets,” in Proceedings of the 15th international conference on
Advanced computing technologies (ICACT), Rajampet, India, September 2013
[5] P. Narang, V. Khurana, and C. Hota, “Machine-learning approaches for P2P botnet detection using
signal-processing techniques,” in Proceedings of the 8th ACM International Conference on Distributed
Event-Based Systems, pp. 338–341, Mumbai, India, May 2014.
[6] P. Barthakur, M. Dahal, and M. K. Ghose, “A framework for P2P botnet detection using SVM,” in
Proceedings of the International Conference on Cyber-Enabled Distributed Computing and
Knowledge Discovery (CyberC), p. 195_0, Sanya, China, October 2012.
[7] E. Sulaeman, “Kaspersky: Serangan ddos melonjak selama kuartal kedua 2019,”
https://cyberthreat.id/read/1989/Kaspersky-Serangan- DDoS-Melonjak-Selama-Kuartal-Kedua-2019/
, 2019, online; Accessed 18 August 2019.
[8] W. Lee, C. Wang, and D. Dagon, Botnet detection: countering the largest security threat. Springer
Science & Business Media, 2007.
[9] R. T. Wiyono and N. D. W. Cahyani, "Performance Analysis of Decision Tree C4.5 as a Classification
Technique to Conduct Network Forensics for Botnet Activities in Internet of Things," 2020
International Conference on Data Science and Its Applications (ICoDSA), Bandung, Indonesia, 2020,
pp. 1-5, doi: 10.1109/ICoDSA50139.2020.9212932.
[10] A. Azmoodeh, A. Dehghantanha, and K.-K. R. Choo, “Robust malware detection for internet of
(battlefield) things devices using deep eigenspace learning,” IEEE Transactions on Sustainable
Computing, vol. 4, no. 1, pp. 88–95, 2018
[12] Atluri A.C., Tran V. (2017) Botnets Threat Analysis and Detection. In: Traoré I., Awad A., Woungang
I. (eds) Information Security Practices. Springer, Cham. https://doi.org/10.1007/978-3-319-48947-6_2
[13] Andriesse D, Bos H (2014) An analysis of the ZeuS peer-to-peer protocol. IR-CS-74, rev
[14] Falliere N, Chien E (2009) Zeus: King of the bots. Symantec Corporation, Cupertino, CA
[15] Baltazar J, Costoya J, Flores R (2009) The real face of KOOBFACE: the largest web 2.0 botnet
explained. Trend Micro Threat Research
[16] Thomas K, Nicol DM (2010) The Koobface botnet and the rise of social malware. Proceedings of the
5th IEEE International Conference on Malicious and Unwanted Software, Malware, 2010, pp 63–70
[17] Sophos Press Release (2007) Sophos Facebook ID probe shows 41% of users happy to reveal all to
potential identity thieves. https://www.sophos.com/en-us/press-office/press-releases/ 2007/08/
facebook.aspx
[18] Fortinet White Paper (2013) Anatomy of a botnet. Fortinet, Sunnyvale. www.fortinet.com
[19] SANS Institute InfoSec Reading Room (2015) Defense in depth. https://www.sans.org/readingroom/
whitepapers/basics/defense-in-depth-525. Accessed 30 July 2015
[20] S. Khattak, N. R. Ramay, K. R. Khan, A. A. Syed, and S. A. Khayam, “A taxonomy of botnet behavior,
detection, and defense,” IEEE Commun. Surveys Tuts., vol. 16, no. 2, pp. 898–924, 2nd Quart., 2014.
[21] S. S. C. Silva, R. M. P. Silva, R. C. G. Pinto, and R. M. Salles, “Botnets: A survey,” Comput. Netw.,
vol. 57, no. 2, pp. 378–403, 2013.
[22] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai and other botnets,”
Computer, vol. 50, no. 7, pp. 80–84, 2017.
[23] https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a-retrospective-analysis/
[24] N. Negash and X. Che, “An overview of modern botnets,” Inf. Secur. J., Global Perspective, vol. 24,
nos. 4–6, pp. 127–132, 2015.
[25] A. Bijalwan, M. Thapaliyal, E. S. Pilli, and R. C. Joshi, “Survey and research challenges of botnet
forensics,” Int. J. Comput. Appl., vol. 75, no. 7, pp. 43–50, 2013.
[26] I. Ullah, N. Khan, and H. Aboalsamh, “Survey on botnet: Its architecture, detection, prevention and
mitigation,” 2013, pp. 660–665, doi: 10.1109/ICNSC.2013.6548817.
[27] R. Kaur and A. Kaur, “Digital forensics,” Int. J. Comput. Appl., vol. 50, no. 5, pp. 59, 2012.
[28] Y. Yusoff, R. Ismail, and Z. Hassan, “Common phases of computer forensics investigation models,”
Int. J. Comput. Sci. Inf. Technol., vol. 3, no. 3, pp. 1731, 2011.
[29] S. Khan, A. Gani, A. W. A. Wahab, M. Shiraz, and I. Ahmad, “Network forensics: Review, taxonomy,
and open challenges,” J. Netw. Comput. Appl., vol. 66, pp. 214–235, May 2016.
[30] R. Hunt and S. Zeadally, “Network forensics: An analysis of techniques, tools, and trends,” Computer,
vol. 45, no. 12, pp. 36–43, Dec. 2012.
[31] N. Moustafa and J. Slay. (2017). “RCNF: Real-time collaborative network forensic scheme for
evidence analysis.” [Online]. Available: https://arxiv.org/abs/1711.02824
[32] M. Keshk, N. Moustafa, E. Sitnikova, and G. Creech. (2017). “Privacy preservation intrusion
detection technique for SCADA systems.” [Online]. Available: https://arxiv.org/abs/1711.02828
[33] N. Koroniotis, N. Moustafa, E. Sitnikova, and J. Slay. (2017). “Towards developing network forensic
mechanism for botnet activities in the IoT based on machine learning techniques.” [Online]. Available:
https://arxiv.org/abs/1711.02825
[34] Moustafa, J. Slay, and G. Creech, “Novel geometric area analysis technique for anomaly detection
using trapezoidal area estimation on large-scale networks,” IEEE Trans. Big Data, to be published
[35] J. Jeong, S. M. A. Naqvi, and M. Yoon, “Accurate and communication-efficient detection of
widespread events,” IEEE Access, vol. 6, pp. 61728–61734, 2018.
[36] S. Kumar, P. Singh, R. Sehgal, and J. S. Bhatia, “Distributed honeynet system using gen III virtual
honeynet,” Int. J. Comput. Theory Eng., vol. 4, no. 4, pp. 537–541, 2012.
[37] S. Mittal and R. Singh, “A support vector approach for formulating IDS rules using honeypot data,”
Adv. J. Comput. Sci. Eng., vol. 4, pp. 1–5, Jun. 2016.
[38] N. Naik, P. Jenkins, R. Cooke, and L. Yang, “Honeypots that bite back: A fuzzy technique for
identifying and inhibiting fingerprinting attacks on low interaction honeypots,” in Proc. IEEE Int. Conf.
Fuzzy Syst. (FUZZ-IEEE), Jul. 2018, pp. 1–8.
[39] A. Paradise, D. Cohen, A. Shabtai, and R. Puzis. (2018). “Generation of automatic and realistic
artificial profiles.” [Online]. Available: https://arxiv.org/abs/1807.00125
[40] V.-H. Pham and M. Dacier, “Honeypot trace forensics: The observation viewpoint matters,” Future
Gener. Comput. Syst., vol. 27, no. 5, pp. 539–546, 2011.
[41] N. Koroniotis, N. Moustafa and E. Sitnikova, "Forensics and Deep Learning Mechanisms for Botnets
in Internet of Things: A Survey of Challenges and Solutions," in IEEE Access, vol. 7, pp. 61764-
61785, 2019, doi: 10.1109/ACCESS.2019.2916717.
[42] Z. Chen, F. Han, J. Cao, X. Jiang, and S. Chen, “Cloud computing-based forensic analysis for
collaborative network security management system,” Tsinghua Sci. Technol., vol. 18, no. 1, pp. 40–50,
Feb. 2013.
[43] Anchit Bijalwan, "Botnet Forensic Analysis Using Machine Learning", Security and Communication
Networks, vol. 2020, Article ID 9302318, 9 pages, 2020. https://doi.org/10.1155/2020/9302318
[44] M. Shafiq, Z. Tian, A. K. Bashir, X. Du and M. Guizani, "CorrAUC: a Malicious Bot-IoT Traffic
Detection Method in IoT Network Using Machine Learning Techniques," in IEEE Internet of Things
Journal, doi: 10.1109/JIOT.2020.3002255.
[45] R. T. Wiyono and N. D. W. Cahyani, "Performance Analysis of Decision Tree C4.5 as a Classification
Technique to Conduct Network Forensics for Botnet Activities in Internet of Things," 2020
International Conference on Data Science and Its Applications (ICoDSA), Bandung, Indonesia, 2020,
pp. 1-5, doi: 10.1109/ICoDSA50139.2020.9212932.
[46] S. S. Silva, R. M. Silva, R. C. Pinto, and R. M. Salles, “Botnets: A survey,” Computer Networks, vol.
57, no. 2, pp. 378 – 403, 2013
[47] M. Stevanovic and J. Pedersen, “Machine learning for identifying botnet network traffic,” Aalborg
University, Tech. Rep., 2013.
[48] Strayer W.T., Lapsely D., Walsh R., Livadas C. (2008) Botnet Detection Based on Network Behavior.
In: Lee W., Wang C., Dagon D. (eds) Botnet Detection. Advances in Information Security, vol 36.
Springer, Boston, MA. https://doi.org/10.1007/978-0-387-68768-1_1
[50] S. Saad et al., "Detecting P2P botnets through network behavior analysis and machine learning," 2011
Ninth Annual International Conference on Privacy, Security and Trust, Montreal, QC, 2011, pp. 174-
180, doi: 10.1109/PST.2011.5971980.